BLU Discuss list archive
[Discuss] sandboxing web browsers
- Subject: [Discuss] sandboxing web browsers
- From: tmetro+blu at gmail.com (Tom Metro)
- Date: Sun, 21 Jun 2015 12:59:12 -0400
- In-reply-to: <li6egl6t9pp.fsf@panix5.panix.com>
- References: <558420D5.6090803@mattgillen.net> <55858DB0.4080709@mattgillen.net> <li6egl6t9pp.fsf@panix5.panix.com>
Mike Small wrote:
> What about creating a second, less privileged user for running firefox...

How about running FF in a Docker container, so not only do you get the privilege isolation from the different user, but also process isolation and file system isolation. It would be the next best thing to running it in a full VM, yet without the overhead. CPU and RAM limits could similarly be applied.

Of course all that isolation will increase inconvenience. Assuming you ever up/download things with your browser, you'll need to set up a Docker volume that maps to something in your host file system so you can get files in/out of the container.

> ...I run firefox as my main user with no plugins.

Sadly, with almost any attempt at improving browser security, like disabling cookies or JavaScript, you end up having to have a 2nd unadulterated browser (or profile) for all the badly written sites that don't warn when required resources are not available. (For a very brief while it was common for sites that needed JS or cookies to warn when they were absent. Now the vast majority of web developers assume they are always available and sites just mysteriously break without notice if they aren't.) My normal routine when things break is to first enable JS, then enable cookies, and if the site is still broken, then switch browsers.

Bill Bogstad wrote:
> Allowing other user ids to write on your screen/capture key & mouse
> events seems to me to be a potential issue.

Valid point, but you'll still have greatly reduced your attack surface. An exploit that leverages that probably couldn't be implemented purely with JS in the browser. It likely would require tricking you into installing (or doing so via a browser flaw) a plug-in with native code that uses X library calls. Unless such an exploit is useful in the single-user normal scenario, it's unlikely a malicious hacker will bother (assuming you aren't being specifically targeted and they know your setup).

If this bugs you, try the Docker approach above, plus run a headless X server in the container and attach to it via VNC.

> I use multiple Firefox user profiles instead. ... This probably doesn't
> help memory usage

I gather from the memory comment that you are running two separate instances of FF simultaneously. Generally I find that the controls provided by add-ons allow me to selectively enable those when needed with just a click, but as noted, there are some cases where sites just seem to refuse to work, and for those I retreat to a different browser.

-Tom

--
Tom Metro
The Perl Shop, Newton, MA, USA
"Predictable On-demand Perl Consulting."
http://www.theperlshop.com/
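One way to build the setup Tom describes above (Firefox in a Docker container as a separate unprivileged uid, a bind-mounted directory for up/downloads, CPU and RAM caps, and a headless X server reached over VNC instead of the host's X display), as an added example that is not part of the original post or any list member's material. The image tag `ff-sandbox`, the in-container user `ff` with uid 1001, the Debian base image and the Xvfb/x11vnc packages are assumptions made for the example; the `docker run` flags are real Docker options.

```shell
#!/bin/sh
# ff-sandbox.sh: run Firefox inside a Docker container with a headless X
# server (Xvfb) exported over VNC, a bind-mounted download directory, and
# CPU/RAM limits. Added example, not from the original post. Assumed names:
# image "ff-sandbox", in-container user "ff" (uid 1001), Debian base image.
set -eu

FF_IMAGE="${FF_IMAGE:-ff-sandbox}"
FF_UID=1001                          # must match the useradd line below
FF_VNC_PORT="${FF_VNC_PORT:-5900}"   # host loopback port for the VNC viewer

# Write a Dockerfile into directory $1. Xvfb gives Firefox a display that no
# host X client can read from or inject into; x11vnc exports that display on
# port 5900 inside the container. Build with: docker build -t ff-sandbox "$1"
ff_write_dockerfile() {
    cat > "$1/Dockerfile" <<'EOF'
FROM debian:bookworm-slim
RUN apt-get update && apt-get install -y --no-install-recommends \
        firefox-esr xvfb x11vnc fonts-dejavu-core ca-certificates \
    && rm -rf /var/lib/apt/lists/*
RUN useradd -m -u 1001 ff
USER ff
WORKDIR /home/ff
# -nopw is tolerable only because the run script publishes the VNC port on
# the host loopback; use -passwd / -rfbauth for anything reachable remotely.
CMD Xvfb :99 -screen 0 1280x800x24 & sleep 1; \
    x11vnc -display :99 -forever -nopw -listen 0.0.0.0 -rfbport 5900 & \
    DISPLAY=:99 exec firefox-esr
EOF
}

# Compose the docker invocation. $1 is the command to invoke (docker, or
# echo for a dry run), $2 the host download directory, $3/$4 the memory and
# CPU caps. Nothing from /tmp/.X11-unix is mounted, so a compromised browser
# gets no handle on the host display, keyboard or mouse.
ff_docker() {
    cmd="$1"; dl_dir="$2"; mem="${3:-1g}"; cpus="${4:-2}"
    "$cmd" run -d --rm --name ff-sandbox \
        --user "$FF_UID:$FF_UID" \
        --memory "$mem" --cpus "$cpus" \
        --cap-drop ALL --security-opt no-new-privileges \
        --shm-size 512m \
        -v "$dl_dir:/home/ff/Downloads" \
        -p "127.0.0.1:$FF_VNC_PORT:5900" \
        "$FF_IMAGE"
}

# Print the command line without running anything.
ff_show() { ff_docker echo "$@"; }

# Start the container detached; then point a VNC viewer at
# 127.0.0.1:$FF_VNC_PORT. The download directory must be writable by uid 1001.
ff_run() {
    dl_dir="${1:-$HOME/ff-downloads}"
    mkdir -p "$dl_dir"
    ff_docker docker "$dl_dir" "${2:-1g}" "${3:-2}"
}
```

Two caveats a practitioner should expect. Mounting the host's `/tmp/.X11-unix` into the container instead of running Xvfb is simpler and faster, but it hands the container exactly the X access Bill raises in the thread; the VNC route above is what avoids that. And Docker's default seccomp profile blocks unprivileged user namespaces, so Firefox's own content-process sandbox runs in a degraded mode inside the container; the container boundary is doing the isolating, not Firefox's internal one.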
- Follow-Ups:
  - [Discuss] sandboxing web browsers, from richard.pieri at gmail.com (Richard Pieri)
- References:
  - [Discuss] memory management, from me at mattgillen.net (Matthew Gillen)
  - [Discuss] memory management, from me at mattgillen.net (Matthew Gillen)
  - [Discuss] memory management, from smallm at panix.com (Mike Small)